SB2025090271 - Multiple vulnerabilities in Meinberg LANTIME firmware

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025090271

SB2025090271 - Multiple vulnerabilities in Meinberg LANTIME firmware

Published: September 2, 2025 Updated: September 24, 2025

Security Bulletin ID SB2025090271
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 30% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Double free (CVE-ID: CVE-2025-32988)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when exporting a certificate with an otherName in the SAN (subject alternative name) extension. A remote attacker can trick the victim into export a specially crafted certificate, trigger a double free error on the ASN.1 structure and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Heap-based buffer overflow (CVE-ID: CVE-2025-32989)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. A remote attacker can supply a specially crafted X.509 certificate to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) NULL pointer dereference (CVE-ID: CVE-2025-32990)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when the certtool program is invoked with a template file with a number of string pairs for a single keyword. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2025-6395)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when a TLS 1.3 handshake involves a Hello Retry Request and the second Client Hello omits the PSK which was present in the first Client Hello. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


5) Integer overflow (CVE-ID: CVE-2025-47268)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an integer overflow within the ping command when handling ICMP Echo Reply packets. A remote attacker can trick the victim to ping a malicious server, trigger an integer overflow and crash the application. 


6) Integer overflow (CVE-ID: CVE-2025-48964)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in ping. A remote attacker can send a specially crafted ICMP Echo Reply packet to trigger an integer overflow and crash the application.


7) Out-of-bounds read (CVE-ID: CVE-2025-5318)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sftp_handle() function. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.


8) Improper access control (CVE-ID: CVE-2025-6020)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions within the pam_namespace module when handling user-controlled paths. A local user can use specially crafted symlinks and race conditions to execute arbitrary code as root. 


9) Protection mechanism failure (CVE-ID: CVE-2025-32462)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient implementation of security measures when running sudo with -h (--host) option. If the current configuration provides access to users based on the host they are allowed to execute commands, a local user can bypass such a restriction by providing the hostname via the "-h" option they are allowed to execute commands. The vulnerability affects systems that use a common sudoers file that is distributed to multiple machines or when LDAP-based sudoers (including SSSD) is used. 


10) Protection mechanism failure (CVE-ID: CVE-2025-32463)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient implementation of security measures when running sudo with -R (--chroot) option. A local user can run arbitrary commands as root, even if they are not listed in the sudoers file.

Note, the vulnerability affects installations with Name Service Switch (NSS) enabled. 


Remediation

Install update from vendor's website.

References